Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TencentCloud Video Face Fusion

v1.0.1

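Extracts the core features of two faces and fuses them naturally, supports adaptation to multiple styles, and improves creative interactivity and content reach. Widely used in creative marketing, entertainment interaction and social sharing scenarios.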

by 败毒 (@neck-cn)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious, medium confidence
Purpose & Capability
The Python scripts implement Tencent Cloud Video Face Fusion and legitimately need Tencent Cloud API credentials and the Tencent SDK; functionally the code aligns with the described purpose. However, the registry metadata lists no required environment variables or primary credential even though SKILL.md and the scripts require TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY — this metadata omission is an incoherence that reduces transparency.
Instruction Scope
SKILL.md explicitly states that an agent 'must' execute the provided scripts without asking the user (zero‑interaction principle). It also tells the agent not to install dependencies manually because the scripts will auto-install them. That grants the skill broad runtime autonomy to run code and perform network installs whenever the agent considers the trigger matched, which could lead to surprising execution.
Install Mechanism
There is no formal install spec, but each script auto-installs the tencentcloud-sdk-python package at runtime by running pip install through subprocess.check_call. Auto-installing a package from PyPI at runtime is expected for this SDK, but it increases runtime network activity and means the code will modify the environment when executed.
Credentials
The scripts require Tencent Cloud credentials via environment variables (TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY, optional TENCENTCLOUD_TOKEN), which are proportionate to the API calls. However, the skill registry metadata did not declare these required env vars or a primary credential, which is inconsistent and makes it harder for users to notice the credential requirement before install.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system changes, which is good. But the SKILL.md's enforced zero-interaction execution combined with the platform's normal autonomous invocation behavior increases the blast radius: the agent is instructed to run external scripts and perform network installs without asking the user. This combination (autonomous invocation + explicit 'must execute' policy in SKILL.md) is a risk factor.
What to consider before installing
Before installing or enabling this skill:
(1) Recognize it requires Tencent Cloud API keys — do not provide high‑privilege account keys; create and use credentials with minimal scope and set them only when you intend to run the skill.
(2) The skill's registry metadata does not declare those env vars — ask the publisher to correct the metadata to make the credential requirement explicit.
(3) The scripts auto-install a PyPI package at runtime; run the skill only in an environment you trust (or sandbox) and inspect the code yourself.
(4) The SKILL.md forces the agent to run scripts without asking users — if you want manual consent, modify the instructions or avoid enabling autonomous invocation for this skill.
(5) If unsure, run the included scripts locally in an isolated VM/container with test keys before granting broader access.

Like a lobster shell, security has layers — review code before you run it.
